Divided encryption connections to provide network traffic security
Abstract
Security measures are applied to encrypted data exchanges by enabling content decryption, rule application, and content re-encryption at a network location that is between two nodes engaged in a secure transaction. A first encryption-enabled connection is established from the first node to a content filter, while a second encryption-enabled connection is established from the content filter to the second node. Following decryption, a determination is made as to whether the content includes Undesired Data. Restricted material is blocked, while unrestricted material is re-encrypted and delivered to the destination node. In another aspect of the invention, at least one of encrypted Instant Messages, e-mail messages and web pages are decrypted and recorded at a location between sources and destinations of the transmissions.
Claims
exact text as granted — not AI-modified1 . A method of applying security measures to network traffic comprising:
defining rules regarding permissible network transmissions, including enabling some said rules to be specific to individuals to whom said security measures are intended to protect; enabling a secure data exchange between a first node and a second node such that said content of said data exchange is encrypted, including establishing a first encryption-enabled connection from said first node to a content filter and establishing a second encryption-enabled connection from said content filter to said second node; decrypting content of data received at said content filter via said second encryption-enabled connection; applying said rules to determine whether said content includes content in violation of said rules; using said determinations as a basis for enabling or inhibiting continued transmission of said content; re-encrypting said content for which continued transmission is enabled; and providing delivery of said re-encrypted content via said first encryption-enabled connection.
2 . The method of claim 1 wherein establishing said first and second encryption-enabled connections and decrypting said content are executed in a manner transparent to said first and second nodes.
3 . The method of claim 1 wherein said first node is a client and said second node is a server that is accessed by said client via the global communications network referred to as the Internet.
4 . The method of claim 1 wherein at least some said rules are specific to detecting Spyware.
5 . The method of claim 1 wherein establishing said first encryption-enabled connection includes offering a certificate to said first node, said first node being a requester node with respect to said data exchange.
6 . The method of claim 5 further comprising identifying certificate issues to said requester node if said certificate issues are detected while establishing said second encryption-enabled connection.
7 . The method of claim 1 further comprising monitoring Instant Messages (IMs) and e-mail messages that are encrypted exchanges, said monitoring including decrypting and re-encrypting said IMs.
8 . The method of claim 7 further comprising recording said IMs and e-mail messages following said decrypting.
9 . The method of claim 7 wherein said monitoring includes detecting IMs exchanged among computers of a single business.
10 . The method of claim 1 wherein defining said rules includes establishing an ignore list for selected said network transmissions, said decrypting and re-encrypting being disabled upon determining that a particular said network transmission is consistent with said ignore list.
11 . A system for providing security for network traffic comprising:
a first input/output (I/O) interface; a second I/O interface; means for establishing a first encryption-enabled connection to a network node via said first I/O interface and for establishing a second encryption-enabled connection via said second I/O interface; a decryptor coupled to said second I/O interface to decrypt transmissions received via said second I/O interface; a content filter operatively associated with said decryptor to filter Undesired Data that includes at least one of Spyware, Adware, viruses, or other undesirable content or communications, and to pass allowed content; and a re-encryptor operatively associated with said content filter to re-encrypt said allowed content and to direct said re-encrypted allowed content to said first I/O interface.
12 . The system of claim 11 wherein said first and second I/O interfaces are merely two of a greater number of such I/O interfaces of said system.
13 . The system of claim 11 wherein said content filter includes a library of Spyware signatures, each said Spyware signature being specific to an instance of Spyware.
14 . The system of claim 11 wherein said means for establishing is configured to utilize wildcard certificates.
15 . The system of claim 14 wherein said first and second I/O interfaces are at a gateway of a network.
16 . The system of claim 11 wherein said content filter is further configured to decrypt Instant Messages, said first and second I/O interfaces being connected within a network to receive said Instant Messages exchanged within said network.
17 . The system of claim 16 further comprising memory for recording said Instant Messages that have been decrypted.
18 . A method of applying security measures for a network traffic comprising:
monitoring transmissions within said network, regardless of sources and destinations of said transmissions; identifying encrypted transmissions; decrypting said encrypted transmissions; and recording said encrypted transmissions after said decrypting.
19 . The method of claim 18 further comprising re-encrypting said encrypted transmissions following both said decrypting and a step of examining content of said encrypted transmissions.
20 . The method of claim 19 wherein monitoring and recording said transmissions include intercepting Instant Messages and e-mail messages at a network location between said sources and said destinations.
21 . The method of claim 20 wherein monitoring includes forming separate secure connections to said network location to enable end-to-end security between said sources and said destinations.
22 . The method of claim 20 further comprising providing content filtering of said Instant Messages and said e-mail messages on a basis of previously defined rules.
23 . The method of claim 22 wherein monitoring and recording further include intercepting and recording encrypted HTML transmissions.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.